From 5b450bf5d0267363907226949a7c750cdb3242ac Mon Sep 17 00:00:00 2001 From: Kazuma Watanabe Date: Wed, 30 Oct 2024 23:57:30 +0900 Subject: [PATCH] Add notes regarding security scanners --- SECURITY.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index b267db6bb..191b42ec9 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -7,3 +7,6 @@ TFLint always supports only the latest version and does not provide security upd ## Reporting a Vulnerability If you find a vulnerability, please do not report it in an issue or a discussion. You can discuss vulnerabilities internally with maintainers using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability). + +Please do not just report the results of a security scanner such as Trivy. In many cases, maintainers are already aware of the existence of vulnerable libraries via Dependabot alerts. +We welcome reports of exploits and their impact that you have analyzed based on the output of security scanners.
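Review bot: The two added lines in the SECURITY.md hunk say what not to send but leave the bar for an acceptable report implicit; consider stating it, e.g. that a report should show the flagged library code is actually reachable from TFLint (the affected code path or a reproduction) and what the impact is, rather than only "exploits and their impact that you have analyzed". The phrase "the existence of vulnerable libraries via Dependabot alerts" could also say what happens to scanner-only reports (for example that they will be closed without action) so reporters know the outcome up front. Minor wording: "Please do not just report the results of a security scanner such as Trivy" reads more cleanly as "Please do not report raw output from a security scanner such as Trivy on its own".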